Carrier IQ, the company behind the controversial mobile intelligence software that has drawn the ire of lawmakers and the public after it was discovered to be operating in the background on over 140 million mobile phones worldwide, released a new, lengthy report late Monday to “help answer numerous questions” about its software’s capabilities.
In the most pressing revelation in the report, called “Understanding Carrier IQ,” Carrier IQ admits that in some “unique circumstances” its software, called “IQ Agent,” contained “an unintended bug” that “unintentionally” captured and transmitted encoded SMS messages to its carrier customers, among whom are some of the nation’s largest wireless companies — Sprint, T-Mobile and AT&T.
Meanwhile, the FBI last week separately responded to a Freedom Of Information Act (FOIA) request submitted by Michael Morisy, creator of FOIA-facilitation website MuckRock, denying Morisy’s request for “Any manuals, documents or other written guidance used to access or analyze data gathered by programs developed or deployed by Carrier IQ.”
The FBI stated that it did have such material pertaining to Carrier IQ, but it was “located in an investigative file which is exempt to disclosure.”
As Morisy pointed out: “What is still unclear is whether the FBI used Carrier IQ’s software in its own investigations, whether it is currently investigating Carrier IQ, or whether it is some combination of both – not unlikely given the recent uproar over the practice coupled with the U.S. intelligence communities reliance on third-party vendors.”
Carrier IQ, for its part, denied ever providing any information to the FBI. In a statement sent to the Washington Post, the company said:
“Carrier IQ has never provided any data to the FBI. If approached by a law enforcement agency, we would refer them to the network operators because the diagnostic data collected belongs to them and not Carrier IQ.”
Still, even without the clarification from the FBI, the full document released by Carrier IQ on Monday is fairly fascinating in its own right.
Carrier IQ stresses that the encoded SMS messages it “unintentionally” captured and transmitted to the carriers due to its software bug “are not human readable,” adding that “the content of any encoded and embedded SMS is not shown or available to Carrier IQ, its Network Operator customers or any other party.”
Carrier IQ continues: “For Network Operators to view the specific content of SMS messages, Carrier IQ would need to write additional software, which has never been done.”
Furthermore, Carrier IQ says that it informed affected customers — that is, those wireless companies running the buggy version of Carrier IQ software — and worked with them to fix the bug.
It’s unclear at this time whether Carrier IQ or the wireless companies informed end users of the bug. TPM has reached out to Carrier IQ for clarificaiton and will update when we receive a response.
Another important revelation from the report: Carrier IQ addresses the now-infamous video demonstration of its software running on an HTC 3D 4G Evo Android phone, saying, as others have pointed out, that the video shows an Android log file displaying a piece of software recording keystrokes, but not the IQ Agent software.
Even more explosively, Carrier IQ charges that the software shown in the video came from the “handset manufacturer,” in this case, HTC. As Carrier IQ writes:
“Our investigation of Trevor Eckhart’s video indicates that location, key presses, SMS and other information appears in log files as a result of debug messages from pre-production handset manufacturer software. Specifically it appears that the handset manufacturer software’s debug capabilities remained ‘switched on’ in devices sold to consumers.”
TPM has reached out to HTC for its official response to these allegations and will update when we receive a response.
Also in the report, Carrier IQ goes on to point out that it records and transmits phone numbers dialed by users (which wireless companies have access to anyway) and that it can record and transmit URLs (but not the “contents” of a webpage), if requested by carriers. The company says that all of this information is transmitted securely “never in a human readable format.”
We also asked Carrier IQ what format it uses to transmit data and who, or what, reads it, and await the company’s response.
Carrier IQ’s report also provides a surprising degree of detail about several other software products it provides to wireless companies, including screenshots of the products in use.
One of these products, the “Mobile Service Intelligence Platform (MISP),” is a network management tool that allows wireless companies to “identify groups of devices” such as during “a new high-profile smartphone launch.”
Another related product, ” IQ Insight” generates a map of dropped calls, displayed by location, allowing a technician to “understand exactly what happened at the time of a failure and use this information to fix issues.”
Carrier IQ also notes that the implementation and specific features of its products vary from wireless company to wireless company, but that “security” of its systems is “paramount” and it hasn’t “experienced any known data breaches.” Furthermore, the company says it has “no rights to the data that is gathered,” and doesn’t provide it to any third party advertisers.
Carrier IQ says that it isn’t finished airing its secrets, either, writing that “It may extend the contents of this document to reflect new questions and issues as they may arise.”
With Carrier IQ executives in Washington, D.C. today — reportedly meeting with lawmakers — the company is certainly not out of the hot seat, not by any stretch of the imagination.
